16/^6345 

Jtec'd PCT/PTO 0 2 MAR 2005 

WO 2004/033879 PCT/US2002/032384 



REDUNDANT ENGINE SHUTDOWN SYSTEM 



The present invention relates to shutdown controls for internal 
combustion engines. 

BACKGROUND OF THE INVENTION 

Internal combustion engines are used in a wide variety of stationary 
as well as mobile applications. Internal combustion engines may include either 
spark ignition engines or compression ignition engines. Stationary internal 
combustion engines used for air compressors or electrical power generation are 
frequently used in mining operations in chemical plants or military installations. In 
such applications, conditions may exist that require an engine control system to shut 
down the engine. For example, if the engine coolant temperature exceeds a 
threshold the engine should be shut down. Engines operating in particular 
applications such as environments having hazardous combustible gases or fire pump 
applications are required to meet certification requirements to ensure safe operation. 
Such engines may be required to have an engine shutdown control system. 

Engines operating in hazardous environments require certification for 
their specific environment. For example, hazardous environment applications may 
be categorized as Group II zone 2 or class 1 division 2. Hazardous environment 
applications typically require a redundant engine shutdown system in addition to the 
standard engine shutdown system that is available on most, if not all, commercially 
available electronically controlled engines. For example, standard EN 1834-1 
"Reciprocating internal combustion engines - Safety requirements for design and 
construction of engines for use in potentially explosive atmospheres - Part 1: Group 
II engines for use in flammable gas and vapor atmospheres" and the ATEX directive 
require a redundant engine shutdown system. To meet this standard it has been 
proposed to use the engine controller as a shut down system, however, this approach 
does not meet all requirements for an engine shutdown system under the standard. 
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The above problems are addressed by Applicants' invention as 
summarized below. 

SUMMARY OF THE INVENTION 

According to one aspect of the present invention, an engine control 
system and engine are provided in combination that has at least one engine or 
electronic control module for controlling engine operation in normal operating 
conditions. The engine control module (ECM) includes calibrations for engine 
control and also has a primary shutdown system programmed to shut down the 
engine if one or more of a plurality of engine operating parameters deviate from an 
acceptable level. At least one redundant electronic control module (RECM) is 
programmed to shut down the engine if one or more of the plurality of engine 
operation parameters deviates from an acceptable level. 

According to another aspect of the invention, the engine control 
module and shutdown system electronic control module are structurally identical but 
programmed differently. The ECM provides full engine control functions including 
the software for engine shutdown. The RECM is structurally identical to the ECM 
but is programmed differently so that the engine module provides full engine control 
functions including software for engine shutdown while the shutdown system 
module only includes software to provide engine shutdown. Alternatively, the ECM 
and RECM may both be programmed to provide full engine control functions 
including software for engine shutdown so that the RECM can be used in place of 
the ECM. 

According to other aspects of the invention, the ECM and RECM 
may monitor a wide variety of sensors or other indicators to determine if a sensor 
or indicator indicates that the engine parameter is above a threshold level. Examples 
of sensors that are directly related to the engine operation that may be monitored 
include engine coolant temperature sensors, oil temperature sensors, exhaust 
temperature sensors, oil pressure sensors, turbo-charger compressor outlet 
temperature sensor, coolant level monitor, engine oil level monitor, engine RPM 
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tachometer, inter-cooler temperature, and engine vibration sensors. The control 
system may also monitor sensors that are not associated with the engine. Examples 
of external sensors include environmental gas detection sensors for sensing the 
presence of potentially dangerous gasses in the air around the engine and 
transmission temperature monitors. 

The ECM or RECM may shut down the engine in various ways 
including shutting off fuel supply, air supply, or electronic control signals. Either 
system may also be used to trigger an external shutdown system such as a Halon 
injection system or an air shut off valve. If sensors indicate a deviation from the 
acceptable level and the ECM fails to shut down the engine, the RECM may activate 
an alarm or send a shutdown command to the engine electronic control module by 
means of a digital communication link. 

These and other aspects of the invention will become apparent in view 
of the attached drawings and detailed description of a preferred embodiment of the 
invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGURE 1A is a partially schematic side elevation view of a 
compression ignition internal combustion engine; 

FIGURE IB is a schematic representation of a shutdown ECM; 

FIGURE 2 is a schematic representation of a redundant shutdown 
device controlling external engine shutdown, alarms, and other displays that are 
activated in response to monitored engine sensors and external sensors; and 

FIGURE 3 is a flow chart illustrating the process of the present 
invention wherein engine parameters are monitored along with external sensors to 
determine if the engine should be shut down due to the detection of hazardous 
conditions. 
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DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT(S) 

Referring now to Figures 1A and IB, an engine 10 is shown that is 
a compression ignition engine. An ECM 12 that is calibrated to operate the engine 
10. The ECM 12 is programmed to shut down the engine in certain circumstances. 
A shut down ECM 14 is shown in Figure IB. The shut down ECM 14 may be 
attached to the engine 10 or may be mounted at a location remote from the engine. 
The engine includes sensors that detect specified engine operating conditions. A 
coolant temperature sensor 20 senses the temperature of die engine coolant. An oil 
temperature sensor 22 senses the temperature of the oil. An exhaust temperature 
sensor 24 is provided for sensing the temperature of the exhaust. A turbocharger 
compressor outlet temperature sensor 26 is provided for sensing the temperature of 
the turbocharger compressor outlet air. Turbocharger compressor outlet 
temperature can also be calculated. An oil pressure sensor 28 is provided to sense 
the pressure of the oil circulating in the engine. A coolant level sensor 30 senses 
the coolant level. An oil level sensor 32 senses the level of the oil in the oil 
reservoir. A tachometer 34 senses the speed of the engine operation and may be 
expressed in terms of RPM. An intercooler temperature sensor 36 may be used, if 
desired, to monitor the temperature of an intercooler. An engine vibration sensor 
or a variety of other sensors can also be provided. 

If required under relevant standards, the shutdown ECM may have 
a corresponding set of redundant sensors. As shown in Figure IB, redundant 
sensors 20' to 36' corresponding to the sensors 20 to 36 connected to the ECM 12 
are indicated by corresponding primed reference numerals. In addition to the above 
sensors, other external sensors (not associated with the engine) may be provided that 
are monitored by the shutdown ECM 14 for engine shut down conditions such as a 
hazardous gas sensor 38 or a transmission fluid temperature sensor 40. 

Referring now to Figure 2, a control system diagram is provided 
wherein the engine 10 is controlled by and provides sensor outputs 50 to a primary 
engine ECU 12. Redundant sensor outputs 52 are provided to the redundant 
shutdown ECM 14. In addition, external sensors 54 provide outputs to the 
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redundant shutdown ECM 14. The sensor outputs 50 correspond generally to 
sensors 20 to 36 in Figure 1A, while the redundant sensor outputs correspond to 
redundant sensors 20' to 36' in Figure IB. External sensors 54 correspond to 
hazardous gas sensor 38 and transmission oil temperature sensor 40 but may also 
5 include other sensors that are external to the engine 10. 

Timers may also be included as part of the engine shutdown logic. 
For example, if a first threshold level is exceeded, torque reduction may be 
required. If then the second threshold is exceeded, a 30 second timer may be 
activated prior to shutdown. However, the RECM, most likely, will be an 
10 immediate shutdown. 



A communication link 56 establishes communication between the 
redundant shutdown ECM 14 and the primary engine ECU 12. Engine shutdown 
devices 58 may be activated by either the primary engine ECU 12 or the redundant 
shutdown ECM 14 in response to either receiving an appropriate output from any 
15 of the sensors referred to by reference numerals 50, 52 or 54. 

Engine shutdown devices 58 may include an air flap or valve that cuts 
off air to the engine or could also be a Halon injection system that injects Halon or 
other inert gas into the engine for rapid shutdown. 

Alarm 60 may be activated by primary ECU alarm output 62 or 
20 redundant ECU alarm output 64. For example, if one of the temperatures, 
pressures, or fluid levels monitored by the primary engine ECU 12 or the redundant 
shutdown ECM 14 exceeds a threshold level, an engine alarm 60 will be activated 
to alert responsible personnel as to the sensed problem. 

Engine fueling controls 66 are generally controlled by the primary 
25 engine ECU 12 as indicated by the fueling controls arrow 66. It is possible that 
software for controlling the engine fueling could also be provided in the engine 
shutdown ECM 14. However, that software may not be enabled to control engine 
fueling unless the redundant shutdown ECM 14 was to be substituted for the 



-5- 



WO 2004/033879 



PCT/US2002/032384 



primary engine ECU 12 in an emergency. Li this situation, the software could be 
enabled by switching appropriate wires from the ECM to the RECM to control the 
engine fuel system. 

An ignition switch 68 circuit based engine shutdown mechanism 
5 could be provided, for example, by providing a safety shutdown circuit 70 in series 
with the ignition switch 68. The safety shutdown circuit 70 shown comprises a 
normally closed relay 72 that is opened upon receiving a shutdown signal from 
either the primary engine ECU 12 or the redundant shutdown ECM 14. Other ECU 
ignition disabling circuits could also be used. If the safety shutdown circuit 70 is 
10 activated, the power connection to the battery 74 is interrupted to cause engine 
shutdown. 

Referring to Figure 3, a flowchart is provided that illustrates an 
algorithm that may be used in accordance with the present invention to control 
engine shutdown in both the ECM 12 and the shutdown control module 14. The 
15 redundant system 80 includes both the engine control unit 12 and the redundant 
engine shutdown system 14. 

As it relates to the engine control unit 12, the system determines at 
82 if any multiple threshold parameter is above threshold A. Examples of multiple 
threshold parameters would include outputs of sensors 20-26. For example, if the 

20 oil temperature sensor is classified as a multiple threshold parameter, a threshold 
temperature of 100°C could be set as threshold A which upon exceeding threshold 
A, the engine control unit would reduce engine torque and activate a first level 
alarm at 84. The system will continue to monitor the parameter and at 86 would 
determine if the multiple threshold parameter is above threshold B. In the example, 

25 the threshold B for the oil temperature sensor could be 120°C. Upon exceeding 
threshold B, the primary ECU generates an engine shutdown signal at 88. Upon 
generating the shutdown engine signal at 88, the system could cut off fuel supply or 
interrupt the ignition circuit at 90. The system could also activate external engine 
shutdown devices at 92 and activate second level alarm and message panel outputs 

30 at 94. 
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If the multiple threshold parameter was not exceeded, the system 
could then determine if any critical parameter is above threshold A. Alternatively, 
the system could be programmed to check critical parameters first and then check 
multiple threshold parameters. If a critical parameter exceeds a threshold, the 
5 system immediately generates a shutdown signal at 88. The system then proceeds 
through the steps outlined including cutting off the fuel supply and interrupt at 90, 
activating the external engine shutdown device at 92, and activating second level 
alarm and message panel at 94. If neither non-critical or critical parameters are 
above threshold A, the system will repeat the cycle and continue monitoring. 

The system 80 also includes the redundant engine shutdown system 
14 that tests to determine if any engine parameter is above threshold C at 98. 
Threshold C is a threshold corresponding to or that is a slight variance from 
threshold B for multiple threshold parameters and threshold A for critical 
parameters. If threshold C is exceeded and engine control unit 12 has not already 
shutdown the engine, a redundant engine shutdown system generates an engine 
shutdown signal at 100 that disables the ECM or interrupts the ignition at 102. The 
shutdown engine signal also activates the external engine shutdown device at 104 
and activates the alarm and message panel at 106. If the engine parameters are not 
above threshold C at 98, it is determined whether any non-engine parameter is above 
threshold C at 108. If so, for instance if a hazardous combustible gas is detected at 
108, an engine shutdown signal is generated at 100 and engine shutdown is initiated 
by the redundant engine shutdown system 14. If no non-engine parameter is above 
threshold C, the redundant engine shutdown system 14 continues to monitor engine 
operation with engine function sensors and non-engine parameter sensors. 

25 While embodiments of the invention have been illustrated and 

described, it is not intended that these embodiments illustrate and describe all 
possible forms of the invention. Rather, the words used in the specification are 
words of description rather than limitation, and it is understood that various changes 
may be made without departing from the spirit and scope of the invention. 
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